The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The file SKILL.md contains hardcoded Brand IDs and Secret Keys. These are explicitly identified as test credentials provided by the Klix merchant portal for development and testing purposes.
[EXTERNAL_DOWNLOADS]: In references/pay-later-widget.md, the skill references external JavaScript modules from klix.blob.core.windows.net. These are official assets from the payment provider used for displaying installment widgets.
[PROMPT_INJECTION]: The skill defines a workflow for ingesting external data via payment callbacks and API responses, which is a potential surface for indirect prompt injection.
Ingestion points: Data enters the agent context through the success_callback endpoint and the purchase status API responses from portal.klix.app.
Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions for the data returned by the API.
Capability inventory: The skill requires network access for API communication and suggests database update operations.
Sanitization: The documentation recommends server-side status verification to ensure payment integrity, though it does not provide specific code for sanitizing the input data.

klix-integration